Uber has paid $6,500 to an Indian cybersecurity researcher, Anand Prakash, who discovered a serious security bug that would have allowed an attacker to take over any user’s account, including the accounts of driver partners and Uber Eats users. The company has already fixed the flaw, and the researcher was given permission to disclose further details under Uber’s responsible disclosure policy.
As part of Uber’s bug bounty program, the company then awarded $6,500 to Prakash. Inc42 reported that the bug lay in an API endpoint through which the researcher’s team was easily able to enumerate Uber users’ UUIDs. The endpoint authenticated the caller but never checked whether the caller was entitled to the record it asked for, so supplying another user’s ID returned that user’s credentials. Prakash explained that “this was because authorization was missing on an endpoint, which resulted in access token leak of Uber mobile apps of other users by just supplying the user id.”
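The flaw Prakash describes is the broken object-level authorization pattern: a logged-in caller names a record by ID and the server trusts the ID. The following is an added, constructed illustration of that pattern, not Uber’s code and not the researcher’s proof of concept. The user IDs, tokens, `Session` type and endpoint function names are all hypothetical; the point is the missing check in the vulnerable handler and the two ways of closing it (compare the requested ID against the session, or drop the parameter entirely).

```python
"""Missing object-level authorization on a token endpoint (added example).

Constructed in-memory model of the bug class described above. Nothing here
is Uber's code: the IDs, tokens and function names are made up for
illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Identity of the authenticated caller, as bound to a session cookie."""
    user_id: str


class Unauthorized(Exception):
    """Caller is not logged in at all (HTTP 401)."""


class Forbidden(Exception):
    """Caller is logged in but may not access this object (HTTP 403)."""


# Constructed sample data: per-user mobile-app access tokens the server
# would hand back. Real tokens would be long random strings.
ACCESS_TOKENS = {
    "u-1001": "tok_alice_8f1c",
    "u-1002": "tok_bob_2d9e",
    "u-1003": "tok_carol_77aa",
}

# Candidate IDs a tester would walk; includes IDs that do not exist.
CANDIDATE_IDS = ["u-1000", "u-1001", "u-1002", "u-1003", "u-1004"]


def vulnerable_get_access_token(session, user_id):
    """Vulnerable handler: checks only that the caller is logged in,
    then trusts the caller-supplied user_id to pick the record."""
    if session is None:
        raise Unauthorized()
    return ACCESS_TOKENS.get(user_id)


def hardened_get_access_token(session, user_id):
    """Fixed handler: the requested object must belong to the caller.
    Mismatch is a 403, and it is checked before any lookup so the
    response does not reveal whether the ID exists."""
    if session is None:
        raise Unauthorized()
    if session.user_id != user_id:
        raise Forbidden()
    return ACCESS_TOKENS.get(user_id)


def hardened_get_own_access_token(session):
    """Preferred fix: do not accept an ID at all; derive it from the
    session (a '/me'-style endpoint), so there is nothing to tamper with."""
    if session is None:
        raise Unauthorized()
    return ACCESS_TOKENS.get(session.user_id)


def enumerate_tokens(endpoint, session, candidate_ids):
    """What the researcher's enumeration amounts to: call the endpoint with
    one valid session and every candidate ID, keeping each token returned.
    Returns a dict of user_id -> leaked token."""
    leaked = {}
    for uid in candidate_ids:
        try:
            token = endpoint(session, uid)
        except Forbidden:
            continue
        if token is not None:
            leaked[uid] = token
    return leaked


if __name__ == "__main__":
    alice = Session("u-1001")
    print("vulnerable:", enumerate_tokens(vulnerable_get_access_token, alice, CANDIDATE_IDS))
    print("hardened:  ", enumerate_tokens(hardened_get_access_token, alice, CANDIDATE_IDS))
    print("own only:  ", hardened_get_own_access_token(alice))
```

Run against the constructed data, the vulnerable handler hands Alice’s session every existing user’s token, while the hardened handler yields only her own. The check to write in review is the one in `hardened_get_access_token`: object ownership is tested against the session, never against a parameter the client controls.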
An Uber spokesperson said, “The bug was quickly fixed through Uber’s bug bounty program, which has paid over $2M USD to more than 600 researchers around the world, including top researchers in India. We are grateful for their contributions to help protect the Uber platform.”
Separately, in July this year, Facebook awarded a Tamil Nadu-based security researcher, Laxman Muthiyah, $30,000 under its bug bounty program for spotting a major flaw in Instagram, Facebook’s photo-sharing app. The researcher said that the vulnerability allowed him to “hack any Instagram account without consent permission.”
The researcher asserted that hacking anyone’s Instagram account was as simple as triggering a password reset and requesting a recovery code. “I reported the vulnerability to the Facebook security team. They were unable to reproduce it initially due to the lack of information in my report. After a few emails and a proof-of-concept video, I could convince them the attack is feasible,” Muthiyah said.